Posted to bugs@httpd.apache.org by bu...@apache.org on 2012/03/12 22:03:23 UTC
DO NOT REPLY [Bug 52892] New: Require expr and %{REMOTE_USER}
https://issues.apache.org/bugzilla/show_bug.cgi?id=52892
Bug #: 52892
Summary: Require expr and %{REMOTE_USER}
Product: Apache httpd-2
Version: 2.4.1
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_authz_core
AssignedTo: bugs@httpd.apache.org
ReportedBy: registration@blackdot.be
Classification: Unclassified
(May have mislabeled the component, not sure if it is in authn_core or authz_core)
What I'm trying to do:
| <RequireAll>
|     Require ssl-verify-client
|     Require valid-user
|     Require expr ( \
|         (%{SSL_CLIENT_S_DN_O} == "Company") && \
|         (%{SSL_CLIENT_S_DN_OU} == "Staff") && \
|         (%{REMOTE_USER} == %{SSL_CLIENT_S_DN_CN}) \
|     )
| </RequireAll>
Need valid Client Cert + Login, login needs to be the CN of the certificate.
What I expect to happen: this should work
What I see: %{REMOTE_USER} is empty!
> The expression parser provides a number of variables of the form %{HTTP_HOST}. Note that the value of a variable may depend on the phase of the request processing in which it is evaluated. For example, an expression used in an <If > directive is evaluated before authentication is done. Therefore, %{REMOTE_USER} will not be set in this case.
It's noted in the docs it can be empty... however:
| Require user hardcodeduser
Works fine... the information seems to be available at this stage.
So why isn't it exported?
For completeness:
I also tried "Require user %{SSL_CLIENT_S_DN_CN}" but that didn't work... I
wasn't expecting it to work though.
I don't think what I'm trying to do is unreasonable, if there is a way to do
it, it would be awesome.
Hopefully this is really a bug and not a limitation!
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 52892] Require expr and %{REMOTE_USER}
--- Comment #2 from Jorge Schrauwen <re...@blackdot.be> 2012-03-13 17:33:47 UTC ---
(In reply to comment #1)
> The require statements are actually executed twice, once before auth and once
> after auth. Auth is only triggered if a Require statement says that its result
> may change after auth and the change of this statement would actually make a
> difference in the end result. However, Require expr currently lacks the
> necessary logic for this.
>
Will it support it in the future?
> You could try (untested):
>
> <RequireAll>
>     Require ssl-verify-client
>     Require valid-user
>     <RequireAny>
>         Require user workaround_for_PR_52892
>         Require expr ...
>     </RequireAny>
> </RequireAll>
>
> Then the Require user would trigger auth. Of course, workaround_for_PR_52892
> must not exist as a user or you have a security problem.
I've tested it and it works!
cert for user1 with user2 as login --> fail
cert for user1 with user1 as login --> success
[Bug 52892] Require expr and %{REMOTE_USER}
Stefan Fritsch <sf...@sfritsch.de> changed:
What     |Removed |Added
---------+--------+-------------
Keywords |        |FixedInTrunk
--- Comment #4 from Stefan Fritsch <sf...@sfritsch.de> ---
fixed in trunk as r1351072
[Bug 52892] Require expr and %{REMOTE_USER}
Rainer Jung <ra...@kippdata.de> changed:
What       |Removed |Added
-----------+--------+---------
Status     |NEW     |RESOLVED
Resolution |---     |FIXED
--- Comment #5 from Rainer Jung <ra...@kippdata.de> ---
Fixed for 2.4 in r1364266.
Released with 2.4.3.
Does not apply to 2.2.x.
DO NOT REPLY [Bug 52892] Require expr and %{REMOTE_USER}
--- Comment #1 from Stefan Fritsch <sf...@sfritsch.de> 2012-03-13 07:44:36 UTC ---
The require statements are actually executed twice, once before auth and once
after auth. Auth is only triggered if a Require statement says that its result
may change after auth and the change of this statement would actually make a
difference in the end result. However, Require expr currently lacks the
necessary logic for this.
You could try (untested):
<RequireAll>
    Require ssl-verify-client
    Require valid-user
    <RequireAny>
        Require user workaround_for_PR_52892
        Require expr ...
    </RequireAny>
</RequireAll>
Then the Require user would trigger auth. Of course, workaround_for_PR_52892
must not exist as a user or you have a security problem.
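As an added example (not code from this thread or from httpd itself), a small Python model of the two authorization passes Stefan describes: each Require yields granted, denied, or "denied but a user might change that", RequireAll/RequireAny merge those, and authn runs only when the first pass ends in the last state. The merge rules, the pre-2.4.3 behaviour of Require expr and an authn step that simply accepts the supplied login are assumptions of the model; it reproduces the empty REMOTE_USER failure and the two results Jorge reports in comment #2.

```python
# Added model of mod_authz_core's two authorization passes; not httpd code.
GRANTED, DENIED, DENIED_NO_USER = "granted", "denied", "denied_no_user"
class Req:
    def __init__(self, cert_cn, login):
        self.cert_cn = cert_cn    # CN of the verified client certificate (constructed)
        self.login = login        # the login authn would accept (constructed)
        self.user = None          # REMOTE_USER: only set once authn has run

def ssl_verify_client(req):
    return GRANTED if req.cert_cn else DENIED

def valid_user(req):
    return DENIED_NO_USER if req.user is None else GRANTED

def require_user(name):
    return lambda req: (DENIED_NO_USER if req.user is None
                        else GRANTED if req.user == name else DENIED)

def expr_user_is_cn(req):
    # Pre-2.4.3 'Require expr': an unset REMOTE_USER is just "", so the
    # comparison fails with a plain DENIED and never asks for authn.
    return GRANTED if (req.user or "") == req.cert_cn else DENIED

def section(op, *children):
    # RequireAll: any DENIED is final; RequireAny: any GRANTED is final.
    # Otherwise DENIED_NO_USER wins, meaning "a user might change this".
    final, default = (DENIED, GRANTED) if op == "all" else (GRANTED, DENIED)
    def check(req):
        result = default
        for child in children:
            r = child(req)
            if r == final:
                return final
            if r == DENIED_NO_USER:
                result = DENIED_NO_USER
        return result
    return check

def authorize(req, section_check):
    # Pass 1 runs without a user; authn runs only if a user could help.
    first = section_check(req)
    if first != DENIED_NO_USER:
        return first
    req.user = req.login          # assumed: authn accepts the supplied login
    return section_check(req)

ORIGINAL = section("all", ssl_verify_client, valid_user, expr_user_is_cn)
WORKAROUND = section("all", ssl_verify_client, valid_user,
                     section("any", require_user("workaround_for_PR_52892"),
                             expr_user_is_cn))
```

Running WORKAROUND with the login workaround_for_PR_52892 returns GRANTED whatever the certificate CN is, which is the security problem the comment warns about should that account exist.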
DO NOT REPLY [Bug 52892] Require expr and %{REMOTE_USER}
--- Comment #3 from Stefan Fritsch <sf...@sfritsch.de> 2012-03-13 19:30:37 UTC ---
(In reply to comment #2)
> > However, Require expr currently lacks the
> > necessary logic for this.
> >
> Will it support it in the future?
yes